Synolocker ‘Service’ Demands 0.6 Bitcoin To Decrypt Your Photos

Any system has its vulnerabilities. But as we get more and more connected, we sometimes expose ourselves to new threats that did not exist before. Many times on this site (and others) we have recommended backing up your photos to a safe location. One of the more popular solutions is the Synology disk station.

k.salo at the Synology forums reports that his Disk station was hacked by ransomware, that his files were encrypted, and that a payment of 0.6 bitcoins is demanded to restore the system.

My Diskstation got hacked last night. When I open the main page on the webserver I get a message that SynoLocker has started encrypting my files and that I have to go to a specific address on Tor network to get the files unlocked. It will cost 0.6 BitCoins. It encrypts file by file. Therefore I started to copy my most important files to another disk while encryption was in progress on other files. After the most important files were copied I turned off my disk.

Quick math shows that 0.6 bitcoins are about $350. The attackers are maliciously hiding their operations in the Tor network, which means that their identities are completely hidden.

As salo notes, there is a way out if you catch it in an early stage as the encryption works file by file. You can copy the critical files and shut the station down until a solution is found.

On Twitter, Mike Evangelist shows the terrifying screen that you see if you’ve been infected:

It seems that the team over at Synology is aware of the issue and is seeking solutions. In the meantime it may be a good idea to disconnect any disk station from the network.

While it is not clear how the Disk station was compromised, current research points at SynoLocker being a variant of Cryptolocker, a ransomware causing headaches to millions worldwide. This is another reminder of the risks we take when we embrace new technologies.

UPDATE: Synology reports that this malware only affects older versions of the firmware, and recommends upgrading ASAP. They also provide instructions for safekeeping your station:

Synology is fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.

I’d assume someone got access to the box, because it’s not like you’d use it to browse the web. I wonder if it was front facing, or using the router components. Hopefully Synology gets on this, as that’s quite unsettling owning a Synology box myself.

Baldor

According to Synology “this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013.”

Clinton Lofthouse is a Photographer, Retoucher and Digital Artist based in the United Kingdom, who specialises in creative retouching and composites. Proud 80's baby, reader of graphic novels and movie geek!